Managing CloudBees Core plugins in a secured environment

Many organizations' security policies require CloudBees Core infrastructure to be installed and implemented in a secured/air-gapped [1] environment.

However, components of your CloudBees Core infrastructure (masters in particular) may often require access to artifact repositories on the Internet, since:

  • Artifacts and dependencies from such external trusted sources may need to be incorporated into the builds of build projects on these masters.

  • Such external trusted repositories may house plugins that greatly extend the functionality and integration features of CloudBees Core.

These scenarios can be resolved by implementing (within your network infrastructure) a proxy artifact repository, which in itself has:

  • access to the Internet, as well as

  • network access to CloudBees Core.

Use-case solution

This use-case solution describes how to manage plugins with CloudBees Core’s plugin catalog feature in a secured environment using a proxy artifact repository. [2] A CloudBees Core on traditional platforms instance will be used to update the Beer plugin version 1.1 (specified in a plugin catalog) to version 1.2. [3]

  1. Begin with a CloudBees Core on traditional platforms installation, consisting of a single Client Master component and the Operations Center component.

    Note
    Both of these components must be configured together as part of the same CloudBees Core installation (either on the same machine if you are testing out this procedure or on different machines on the same network). However, both these installed components must not have access to the Internet.
  2. Create a Maven proxy repository to proxy the CloudBees repository https://repo.cloudbees.com/content/repositories/dev-connect/. This CloudBees repository aggregates the CloudBees plugins and the Open Source plugins distributed by https://repo.jenkins-ci.org/releases/. To help identify the groupId and artifactId of the plugins you can, for the Open Source plugins, browse the Open Source repository https://repo.jenkins-ci.org/releases/ and, for the CloudBees plugins, look at the "Maven coordinates" of the desired plugins on https://release-notes.cloudbees.com/.

    Note
    You may prefer to use Nexus Artifact Repository as your artifact repository system, since a free (OSS) edition of this software is available. However, your chosen artifact repository system must have access to the Internet, and therefore be installed on a different machine to your CloudBees Core installation’s components.
  3. Copy the following plugin catalog code snippet (for the Beer plugin 1.1) and save it to a file with the name plugin-catalog-file.json:

    {
        "type" : "plugin-catalog",
        "version" : "1",
        "name" : "my-plugin-catalog",
        "displayName" : "My Plugin Catalog",
        "configurations" : [
            {
                "description" : "My Plugin Catalog for Masters versions 2.121 to 2.138.1.2",
                "prerequisites": {
                    "productVersion": "[2.121, 2.138.1.2]"
                },
                "includePlugins" : {
                    "beer": {
                        "groupId": "org.jenkins-ci.plugins",
                        "version" : "1.1"
                    }
                }
            }
        ],
        "settings": {
            "repository": {
                "layout": "maven2",
                "url": "https://nexus.mycompany.com/repository/cloudbees-core-plugins/"
            }
        }
    }

    Read more about this process in the documentation for defining a plugin catalog.

  4. Add the plugin catalog to Operations Center and then validate the plugin catalog’s suitability for the Client Master.

  5. Deploy the plugin catalog to the Client Master and then verify the plugin catalog’s deployment to the Client Master.

    You should see the Beer plugin version 1.1 appear in the plugin catalog’s Included plugins list, which means that this plugin (and its indicated version) can now be installed to this Client Master.

  6. Install the Beer plugin version 1.1 to the Client Master.

  7. Now, update the plugin catalog on Operations Center to use the Beer plugin version 1.2. Following this procedure, tweak the plugin-catalog-file.json file according to the following code snippet, and re-add this modified plugin catalog file to the Operations Center.

    {
        "type" : "plugin-catalog",
        "version" : "1",
        "name" : "my-plugin-catalog",
        "displayName" : "My Plugin Catalog",
        "configurations" : [
            {
                "description" : "My Plugin Catalog for Masters versions 2.121 to 2.138.1.2",
                "prerequisites": {
                    "productVersion": "[2.121, 2.138.1.2]"
                },
                "includePlugins" : {
                    "beer": {
                        "groupId": "org.jenkins-ci.plugins",
                        "version" : "1.2"
                    }
                }
            }
        ],
        "settings": {
            "repository": {
                "layout": "maven2",
                "url": "https://nexus.mycompany.com/repository/cloudbees-core-plugins/"
            }
        }
    }
    Note

    Compared to the original plugin-catalog-file.json snippet above, the "version" : "1.2" (within the "includePlugins" block) is the only line of the entire code snippet which is different.

  8. Ensure that you have re-validated and re-deployed the updated plugin catalog to the Client Master.

  9. You should now be able to update the Beer plugin on the Client Master to version 1.2.

This use-case solution demonstrated how you can control which Internet-based plugins are permitted on your secured CloudBees Core installation "as code." From a plugin maintenance perspective, your CloudBees Core master behaves as if it were connected directly to the Internet.

The plugins defined in the CloudBees Assurance Program are provided in the CloudBees Core WAR files and the plugins defined in the plugin catalog are indirectly downloaded from the Jenkins Community Maven artifacts repository (via the proxy artifact repository you configured above).

To sum up, this CloudBees Core and proxy artifact repository configuration provides a secure and stable CloudBees Core installation with tightly controlled access to the Internet.


2. The proxy artifact repository configuration processes mentioned in this use-case solution are also applicable to managing artifacts and dependencies (from external/Internet-based trusted artifact repositories) for incorporation into build projects.
3. Although this use-case solution utilizes CloudBees Core on traditional platforms, the processes described on this page are also applicable to CloudBees Core on modern cloud platforms installations.